Recently I have had several people asking me about security trimming options in MOSS 2007. For the most part they knew the basics of what was available; however, it seems as though many people do not understand what the real difference between the options is, or why you would use one versus the other. I thought it might be helpful to point out a few tips around each of the available options.
Audience Targeting
I find this a pretty misunderstood piece of functionality, and I should probably start by saying it is only available in MOSS 2007, so if you are only running WSS v3 you do not have this feature at all. Many people equate audience targeting with a form of security trimming, and it really isn't. The best description I can come up with is that it is a content filter that allows a page or site author to scope the visible content based on the audiences visiting the site, i.e. tailoring a page to the user's role instead of setting up multiple pages with multiple views. You can set up a single page and filter out content based on the "audience" you set. Probably the biggest thing I can restate here is that this is not a security mechanism. The target audience is a property on the web part (or on a list item, if the list has audience targeting enabled), not an access control entry, and it is only evaluated when that page renders. Using it to filter a list view web part just stops the web part from displaying on that particular page for people outside the audience. Anyone with any knowledge of SharePoint can browse straight to the base list (the AllItems.aspx view, the list's RSS feed, search results, or the Lists web service) and see the data unless you make use of item-level security as well.
Audience Targeting Tips
Since not everyone may be aware of the different options available with audiences, I thought I would share some useful audience tips that can help when trying to scope content in a SharePoint site.
- SharePoint Groups - SharePoint groups are a valid target audience. This is particularly useful in situations where the site administrators do not have access to Active Directory, because it lets any site administrator set up and modify their own audiences. SharePoint groups have the added benefit of allowing self-enrollment (the "Allow requests to join/leave this group" and auto-accept settings on the group), so a site administrator can set up a site with different levels of information and let users subscribe to the components they want to see. Self-enrollment is only sensible because an audience is a filter rather than a permission: do not turn on auto-accept for a group that also carries permissions on the site.
- Domain Groups or Roles - If you are using Active Directory, domain distribution lists and security groups are valid target audiences, and if you are using a custom authentication provider, a custom role provider can be used as an audience too. The nice part here is that many organizations already have groups set up for internal use that are perfect for targeting specific areas of the organization. Note that the groups offered in the audience picker are the ones the Shared Services profile import has picked up, so a newly created group will not be available until the next import. The SharePoint site administrator has less control over membership in these groups; to some this is a plus, as it removes a level of complexity when troubleshooting problems.
- Audience Rules - These are actually very powerful and potentially the least understood. An audience can be built from multiple rules and set to require a match on all rules or on any rule. This allows a SharePoint Shared Services administrator to define very flexible audiences that update as user information is changed and synchronized into SharePoint. One caveat: membership is only materialized when the audience is compiled (on the SSP's compilation schedule or by starting a compilation by hand), so a rule change or a profile import is not reflected until the next compilation, and a freshly created audience has no members at all until it has been compiled. As far as rules go, they can be as simple as belonging to a distribution list or security group, or sitting under a specific manager in the organizational hierarchy (if you have the Manager attribute populated in Active Directory), and they can have additional complexity, like matching a specific user profile property. Group, list and organizational rules use the "Reports Under" and "Member Of" operators. User profile property rules use "Contains" and "Not Contains" (alongside the plain equality and comparison operators). So you could make a very simple rule to match all users with the word Engineer in their Title property, or something more complex that matches users who have listed SharePoint under their Skills and Manager in their Title and are members of the New Employee Orientation Team distribution list.
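As an added example (not code from the original post), here is the "all rules must match" audience described above, built with the MOSS 2007 audience object model and then compiled. It is meant to be run on a MOSS 2007 server as a Shared Services administrator. The site URL, the SSP name, the distribution list name and the audience name are assumptions; the argument order for the compilation job is as I recall it from the 2007 SDK and is flagged in the code.

```powershell
# Added example, not from the original post. Creates an audience whose rules
# must ALL match, then compiles it so it actually gets members.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server")

$siteUrl      = "http://portal.contoso.local"              # assumption: any site served by the SSP
$sspName      = "SharedServices1"                          # assumption: the SSP name
$dlName       = "New Employee Orientation Team"            # assumption: DL name as imported by the profile import
$audienceName = "NEO managers who know SharePoint"         # assumption

$site    = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$context = [Microsoft.Office.Server.ServerContext]::GetContext($site)
$manager = New-Object Microsoft.Office.Server.Audience.AudienceManager($context)

# Create the audience (Create throws if an audience with this name already exists)
$audience = $manager.Audiences.Create($audienceName, "Managers with SharePoint skills in the NEO DL")

# Each rule is (left operand, operator, right operand). Property rules use the
# profile property's internal name; "SPS-Skills" is the internal name of Skills.
# Explicit AND components sit between the rules, as in the SDK samples.
$rules = New-Object System.Collections.ArrayList
[void]$rules.Add((New-Object Microsoft.Office.Server.Audience.AudienceRuleComponent("Title", "Contains", "Manager")))
[void]$rules.Add((New-Object Microsoft.Office.Server.Audience.AudienceRuleComponent($null, "AND", $null)))
[void]$rules.Add((New-Object Microsoft.Office.Server.Audience.AudienceRuleComponent("SPS-Skills", "Contains", "SharePoint")))
[void]$rules.Add((New-Object Microsoft.Office.Server.Audience.AudienceRuleComponent($null, "AND", $null)))
# Membership rule: "DL" as the left operand and the group name on the right (as in the SDK; verify for your import)
[void]$rules.Add((New-Object Microsoft.Office.Server.Audience.AudienceRuleComponent("DL", "Member Of", $dlName)))

$audience.AudienceRules  = $rules
$audience.GroupOperation = [Microsoft.Office.Server.Audience.AudienceGroupOperation]::AUDIENCE_AND_OPERATION
$audience.Commit()

# Nothing is a member until a compilation runs. Web parts targeted to an
# uncompiled audience render for nobody. Argument order as I recall it from the
# SDK: SSP name, "1" = start (0 = stop), "1" = full (0 = incremental), audience name.
[Microsoft.Office.Server.Audience.AudienceJob]::RunAudienceJob(@($sspName, "1", "1", $audienceName))

$compiled = $manager.GetAudience($audienceName)
"{0}: {1} member(s), last compiled {2}" -f $compiled.AudienceName, $compiled.MemberShipCount, $compiled.LastCompilation

$site.Dispose()
```

Remember that targeting a web part to this audience only hides the web part from everyone else; it grants nothing to the members and denies nothing to non-members.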
Item Level Security
This set of functionality is understood much better in general; however, there are still a few questions people have. The most common question I come across is why it has to be so difficult, and that is not an easy one to answer. Most people don't want to set permissions on each item, and they see this as too difficult to manage. Part of the difficulty is that there is no way to deny permission on a specific item: permissions are additive, so you have to break inheritance and then add the users who should have access. (The only deny in the product is the permission policy on the web application in Central Administration, Deny Write or Deny All, which applies across every site in that web application rather than to a single item.) I have a few suggestions on how to manage these issues.
Item Level Security Tips
- Folders and Views - Now that SharePoint lists allow folders, there are a couple of shortcuts that can be used to set permissions on items easily. Creating a folder to place items in lets you set permissions on that folder and manage them in one place: every item created in (or moved into) the folder inherits the folder's permissions, and moving an item to another folder changes them accordingly. To avoid showing the folders, create a view that is set to "Show all items without folders". The list then looks normal to a user viewing it, while permissions still apply to the items through their folders. The view only hides the folder structure; the permissions are enforced by inheritance regardless of which view is used. This method works best for semi-static lists; otherwise it requires a little training to make sure users know the appropriate folder to create new items in.
- SharePoint Groups - Using SharePoint groups makes item-level security easier to manage by letting you create groupings of users that you can reuse in many places across the site collection (SharePoint groups are scoped to the site collection, not to a single site or list). The other benefit is that group membership can be made private ("Who can view the membership of the group?" set to Group Members), so users who are not part of the group won't know who is. Site collection administrators and the group owner can still see the membership.
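As an added example (not code from the original post), the two tips above as one script against the WSS v3 / MOSS 2007 object model: create a permission-carrying folder granted only to a SharePoint group, add an item to it, create a "Show all items without folders" view, and then check what an ordinary user actually sees by opening the site with that user's token. The last step is also the check for the point made earlier about audience targeting: it enumerates the base list directly, which is exactly what an audience filter does not protect against. The site URL, list name, group name and test user are assumptions.

```powershell
# Added example, not from the original post. Folder-based item-level security
# with a flat view, verified as a non-privileged user.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl   = "http://portal.contoso.local/sites/projects"   # assumption
$listName  = "Project Tracker"                              # assumption: an existing custom list
$groupName = "Project Leads"                                # assumption: an existing SharePoint group
$testUser  = "CONTOSO\jdoe"                                 # assumption: a site visitor who is NOT in the group

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
$list = $web.Lists[$listName]

# Helper: bind a role definition (e.g. "Contribute") to a principal on a securable object
function Grant-Role($securable, $principal, $roleName) {
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
    $securable.RoleAssignments.Add($assignment)
}

# 1. The folder that will carry the permissions
$folder = $list.Items.Add($list.RootFolder.ServerRelativeUrl,
                          [Microsoft.SharePoint.SPFileSystemObjectType]::Folder, "Leads Only")
$folder.Update()

# 2. Stop inheriting from the list. $false = do not copy the list's role
#    assignments, so the folder starts with an empty access list, then add
#    only the group (and the site owners so somebody can administer it).
$folder.BreakRoleInheritance($false)
Grant-Role $folder $web.SiteGroups[$groupName] "Contribute"
Grant-Role $folder $web.AssociatedOwnerGroup  "Full Control"

# 3. An item created inside the folder inherits the folder's permissions
$item = $list.Items.Add($folder.Folder.ServerRelativeUrl,
                        [Microsoft.SharePoint.SPFileSystemObjectType]::File)
$item["Title"] = "Salary review schedule"
$item.Update()

# 4. A view with Scope = Recursive is "Show all items without folders":
#    items from every folder, none of the folder nodes themselves
$fields = New-Object System.Collections.Specialized.StringCollection
[void]$fields.Add("Title")
$view = $list.Views.Add("All Items (flat)", $fields,
                        "<OrderBy><FieldRef Name='Title'/></OrderBy>", 100, $true, $false)
$view.Scope = [Microsoft.SharePoint.SPViewScope]::Recursive
$view.Update()

# 5. Verify as the test user. Opening the site with the user's token makes the
#    object model trim everything that user cannot read; a site collection
#    administrator would see everything, so test with a normal account.
$token    = $web.EnsureUser($testUser).UserToken
$userSite = New-Object Microsoft.SharePoint.SPSite($siteUrl, $token)
$userWeb  = $userSite.OpenWeb()
$query    = New-Object Microsoft.SharePoint.SPQuery
$query.ViewAttributes = "Scope='Recursive'"          # same flat scope as the view
$visible  = @($userWeb.Lists[$listName].GetItems($query) | ForEach-Object { $_["Title"] })

"{0} sees {1} of {2} item(s)" -f $testUser, $visible.Count, $list.ItemCount
if ($visible -contains "Salary review schedule") {
    "FAIL: the restricted item is visible to $testUser"
} else {
    "OK: the restricted item is trimmed for $testUser"
}

$userWeb.Dispose(); $userSite.Dispose()
$web.Dispose();     $site.Dispose()
```

If the test user has no access to the list at all, `$userWeb.Lists[$listName]` throws an UnauthorizedAccessException instead of returning an empty result, which is the right outcome to see from a script like this. Run step 5 on its own against a list that is only "protected" by an audience-targeted web part and every item comes back, which is the whole point of the distinction above.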
There is probably more I could say about item-level security and audience targeting, but I might save that for another time.